Solution Overview
DaoCloud Multi-Cloud Solution for Application Modernization helps modernize applications and drive digital transformation for enterprises that run distributed applications across clouds and regions. This solution provides multi-cloud cluster management, multi-cloud application orchestration, and multi-cloud service meshes.
This solution enables centralized management of heterogeneous clusters (x86 and Arm) running on multiple clouds or a hybrid cloud, so you can deploy and release applications and perform O&M across clouds. This reduces cross-cloud application migration costs, simplifies O&M management, and improves application performance. This solution also supports auto scaling based on cluster resources, global load balancing, east-west communications, grayscale releases, and visualized traffic management of applications, as well as dual-mode microservice governance (microservice governance using traditional methods and service meshes). There are also various application traffic routing policies for better routing. With this solution, enterprises do not need to worry about fault recovery, so they can focus on developing efficient, lightweight, intelligent, open, elastic, and resilient modern applications.
Application Scenarios
This solution is the best choice if your enterprise needs to manage and distribute applications across clouds, import cluster information quickly, implement application failover and observability, and control permissions globally.
- Unified Orchestration and Management of Multi-Cloud Resources and Applications
Figure 1 Unified management of multi-cloud resources and applications
Pain points:
As your enterprise runs more clusters on private and heterogeneous public clouds, managing these clusters becomes a prominent problem.
- Complicated cluster management: There are a large number of clusters that need to be configured repeatedly and managed differently. Also, there is no unified entry for API calls.
- Scattered services: Applications have different configurations in each cluster, cannot easily access each other across clouds, and are difficult to migrate between clusters.
- Restricted scheduling: Resource scheduling, application availability, and auto scaling can only be implemented within clusters.
- Cloud vendor lock-in: There is no neutral multi-cluster management platform. Cloud vendor lock-in happens frequently.
Countermeasures:
This solution enables unified orchestration and management of multi-cloud resources and applications, distributed resource collaboration and scheduling, and cross-cloud auto scaling of applications. With this solution, your enterprise can deploy applications across regions and clouds, reducing cloud costs.
- Unified management of multi-cloud resources: Resources on multiple clouds can be connected with just a few clicks, and the latest cluster information can be synchronized in real time. This helps you easily check resource changes and manage cloud resources provided by different vendors on a unified interface.
- Multi-cloud application orchestration: Cluster resources are abstracted into multiple cloud instances that are isolated from each other. All cloud applications can be released and maintained in a unified manner. Multi-dimensional scheduling policies are supported for transparent application access and auto scaling across clouds.
- One-click application upgrade: Single-cloud applications can be upgraded to multi-cloud applications with just one click, at no cost.
- No vendor lock-in: Multiple public cloud vendors and private cloud solutions can be selected to avoid relying on a single cloud vendor and to reduce cloud costs.
- Integration of Multi-Cloud Resource Orchestration and Application Delivery and O&M
Figure 2 Integration of multi-cloud resource orchestration and application delivery and O&M
Pain points:
- Complex management: Cluster configuration and management differences among cloud platforms are challenging.
- Difficult cluster lifecycle management: Clusters must be managed throughout their lifecycles, from deployment and running to upgrade, capacity expansion, monitoring, and deletion. It is time-consuming and error-prone to manually manage multiple clusters at the same time.
- Complicated and diverse service requirements: As services expand and diversify, applications need to be deployed on different cloud platforms to meet requirements for performance, compliance, and geographical location, which poses great challenges to continuous delivery across cloud environments.
Countermeasures:
This solution provides GitOps for integration and automation of multiple cloud platforms throughout the O&M lifecycle.
- Declarative cloud resource orchestration: Cloud platform engineers can use declarative code to define cloud infrastructure resources and resource orchestration rules, and use GitOps to drive the execution of orchestration tasks. In this way, cluster lifecycles can be managed and Day-2 operations can be completed.
- GitOps for application delivery: By defining a more specific application release and delivery process in code, engineers can use Kubernetes and an automatic delivery pipeline to apply changes to any cluster, which ensures a consistent user experience across clouds.
- Declarative application O&M: Application resources and statuses are defined using code, and the orchestration engine drives automatic execution of application O&M.
- Multi-Cloud Application Service Governance
Figure 3 Multi-cloud application service governance
Pain Points:
Applications are deployed on heterogeneous clouds in distributed mode and consist of a large number of services. However, when services call each other, the call paths are complex, and there is no efficient service governance.
Countermeasures:
This solution enables unified governance of application services and provides highly compatible transparent communications, traffic management, dual-mode microservice governance, and end-to-end observation for applications.
- Transparent and smooth communications: Service meshes are used for cross-cloud and cross-cluster traffic management, such as consistent and transparent service discovery at the application layer, request routing, health checks, timeouts, retries, and rate limiting.
- Dual-mode microservice governance: Microservice governance is implemented using both traditional methods and service meshes.
- End-to-end observation: Applications and microservices are observed comprehensively, and application data is analyzed and displayed visually.
- Cross-cloud service authentication and access control: Service-based authentication and authorization make access to services controllable.
- Cross-Cloud Service Continuity
Figure 4 Cross-cloud service continuity: multi-active deployment and multi-cloud DR
Pain Points:
To ensure service continuity, cross-cloud application HA is required. However, challenges in technical complexity, scalability, availability, and elasticity must be addressed.
Countermeasures:
This solution allows you to deploy applications in clusters in different regions to prevent unavailability caused by faults in a single region. The resource management center of the multi-cloud collaboration platform automatically monitors the health of each cluster. If a single cloud environment becomes faulty, cross-cloud migration and traffic switchover can be quickly and automatically completed.
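As an added illustration of the cross-cloud application distribution (Figure 1 scenario) and cross-cloud failover (this scenario) described above, the following Karmada PropagationPolicy spreads one Deployment across two member clusters and lets Karmada move it when one copy becomes unhealthy. This is example configuration, not DaoCloud's or Huawei Cloud's own; the cluster names, the Deployment name, and the enabled Karmada feature gate are assumptions.

```yaml
# Added example: a Karmada PropagationPolicy for a web Deployment.
# Assumed names: member clusters huawei-cn-east and private-dc, and a
# Deployment "web" that has already been applied to the Karmada control plane.
apiVersion: policy.karmada.io/v1alpha1
kind: PropagationPolicy
metadata:
  name: web-multicloud
  namespace: default
spec:
  resourceSelectors:
    - apiVersion: apps/v1
      kind: Deployment
      name: web
  # Also propagate the ConfigMaps and Secrets the Deployment references,
  # so every cluster receives a complete copy of the application.
  propagateDeps: true
  placement:
    clusterAffinity:
      clusterNames:
        - huawei-cn-east   # public cloud member cluster
        - private-dc       # on-premises member cluster
    # Split the replica count 1:1 across the two clusters instead of
    # running the full replica count in each of them.
    replicaScheduling:
      replicaSchedulingType: Divided
      replicaDivisionPreference: Weighted
      weightPreference:
        staticWeightList:
          - targetCluster:
              clusterNames:
                - huawei-cn-east
            weight: 1
          - targetCluster:
              clusterNames:
                - private-dc
            weight: 1
  # Application-level failover (assumes the Failover feature gate is enabled
  # on karmada-controller-manager): if the workload in a cluster stays
  # unhealthy for 120 s, its replicas are rescheduled to another eligible
  # cluster; the old copy is evicted gracefully and removed after 600 s at
  # the latest, so traffic is not dropped while the new copy starts.
  failover:
    application:
      decisionConditions:
        tolerationSeconds: 120
      purgeMode: Graciously
      gracePeriodSeconds: 600
```

Workload health is judged by Karmada's resource interpreter for the Deployment kind, so the policy reacts to application-level failure in one cloud rather than only to the member cluster going offline.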
Solution Architecture
Service Architecture
The following figure shows the service architecture of this solution.
- The multi-cloud collaboration platform provided in this solution uses Huawei Cloud products, including Cloud Container Engine (CCE), SoftWare Repository for Container (SWR), Cloud Search Service (CSS), GaussDB(for MySQL), GeminiDB (for Redis), Elastic Cloud Server (ECS), Host Security Service (HSS), NAT Gateway, Elastic Load Balance (ELB), Elastic IP (EIP), Scalable File Service (SFS), Elastic Volume Service (EVS), and Volume Backup Service (VBS).
- In typical scenarios, the software used in this solution includes Global Management, UI, Workbench, Container Management, Image Registry, Service Mesh, Microservice Engine, Insight (for observability), Multicloud Management (Karmada), Network, Storage, Elasticsearch middleware (CSS can be used), and MySQL middleware (GaussDB(for MySQL) can be used).
- These components run as containers and interact with each other through the network in the CCE cluster. Elasticsearch and MySQL provide data storage for the rest of the components. The components interact with CCE through the Network and Storage components. (The Network component automatically connects to the CCE network through Container Network Interface (CNI), and the Storage component automatically connects to the CCE storage through Container Storage Interface (CSI).)
- This solution provides security, monitoring, and HA for applications. You can also use Huawei Cloud services as required.
- Both administrators and tenants (O&M personnel, application development/release personnel, storage administrators, and network administrators) can use the multi-cloud collaboration platform.
- The clusters on public or private clouds or self-managed Kubernetes clusters are connected to the multi-cloud collaboration platform over the Internet or VPN.
Deployment Architecture
This deployment architecture uses Huawei Cloud native services, data services, and basic cloud services to provide compute, storage, and networking resources. The DaoCloud multi-cloud collaboration platform provides multi-cloud cluster management, multi-cloud application orchestration, and multi-cloud service meshes for application modernization.
- Huawei Cloud products
- The software used in this solution runs as containers on a CCE cluster consisting of ECSs.
- Some components (such as Multicloud Management and Container Management) need to communicate with the API Server of the managed clusters. These components can be scheduled to any node in the cluster. A NAT gateway is configured for these nodes to ensure external network connectivity. You can also configure security groups or other stricter access policies based on security requirements.
- Anti-DDoS monitors the traffic from the Internet to the public IP addresses of your servers in real time to detect DDoS attacks. It then scrubs attack traffic based on custom defense policies so that services run as normal. It also generates monitoring reports that provide visibility into network security.
- ELB distributes incoming traffic to multiple containers in the cluster to handle traffic spikes at different times, which expands the service capabilities of the multi-cloud collaboration platform.
- An EIP is bound to each load balancer and the NAT gateway so that the components in this solution can provide services accessible from the Internet.
- HSS is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It protects servers and containers and prevents malicious modification of web pages.
- EVS provides scalable block storage services with high reliability, high performance, and extensive specifications. EVS disks can be attached to pods for local storage.
- CSS provides ELK services for this solution.
- GaussDB(for MySQL) stores key service data.
- GeminiDB (for Redis) is used to cache data.
- Software layer of the multi-cloud collaboration platform
- Software: Major components include Global Management, Container Management, Service Mesh, Insight, Multicloud Management, Image Registry, Microservice Engine, Workbench, Network, Storage, and UI. These components run as containers. Compute, storage, and networking resources are provided by CCE. The Network component is connected to the CCE network through CNI. The Storage component interacts with CCE by using CSI, so that EVS disks can be attached to pods for local storage.
- O&M: Both users and administrators can log in to the multi-cloud collaboration platform to perform operations. The platform O&M can be performed on the nodes in a CCE cluster. Insight (the component for observability) can be used to monitor application and resource usages in real time and configure alarm rules to detect exceptions in a timely manner.
- Security: The container image security of each component is guaranteed by DaoCloud, and the container runtime security is guaranteed by a cloud native security module. Advanced Anti-DDoS (AAD) and Web Application Firewall (WAF) from Huawei Cloud, or third-party services can be used to provide additional security. For the underlying infrastructure, Huawei Cloud HSS or third-party services can be used to ensure security.
- HA deployment: In this solution, platform components are deployed in the same AZ but have multiple replicas distributed on different nodes. GaussDB(for MySQL) is deployed in primary/standby mode, and the primary node and read replicas run in different AZs.
- Backups
- CSS backup: CSS stores monitoring metrics, traces, and logs of the multi-cloud collaboration platform and platform application containers. The index data in a cluster is backed up to avoid data loss. If data is lost or data from a specified period needs to be retrieved, users can use the index data to restore it quickly. For details, see Backup and Restoration Overview.
- GaussDB(for MySQL) backup: GaussDB(for MySQL) stores platform configuration data. Full backups and incremental backups are performed periodically. You can use a data backup to restore nodes to the state they were in when the backup was created. For details, see Restoring Instance Data to a Specific Point in Time.
- Multi-cloud collaboration platform backup: The etcd of the CCE cluster is backed up periodically.
- Key deployment points
- At the access layer, Huawei Cloud ELB is used for load balancing. Users can access the multi-cloud collaboration platform over the Internet. For scenarios with high security requirements, VPN is recommended.
- No customer services or data reside in the VPC. Therefore, applications and data are not allocated to different subnets.
- In scenarios with high security requirements, a DMZ can be set up. The platform portal entrance is placed in the DMZ for O&M personnel and users to access. Users and O&M personnel can also access the platform through VPN.
- If the platform portal is exposed externally, Huawei Cloud WAF and AAD can be used for protection.
- The applications and data of the platform have multiple replicas that are distributed on different nodes in the CCE cluster for high availability and disaster recovery.
- Insight takes care of the platform O&M. In extreme cases, if the platform cannot be accessed, engineers can log in to the nodes in the CCE cluster for O&M.
- The middleware used by the platform includes Elasticsearch and MySQL, which can be replaced by CSS and GaussDB(for MySQL).
- The storage component enables local volumes to be mounted to pods for data storage to meet the requirement of high-speed access.
- Huawei Cloud IoT and AI services are not involved.
- The multi-cloud collaboration platform provides identity authentication, access permissions, account management, and encryption. It also supports single sign-on (SSO) over LDAP and OIDC and allows users to use their existing account system by connecting to an identity provider.
Advantages
Solution Highlights:
- Higher efficiency
More than 500,000 nodes and 2 million pods are managed centrally. Cluster search performance is improved tenfold. IT infrastructure investment is reduced by more than 50%.
- Third-party cloud neutrality
You can select cloud service providers based on your service requirements to reduce dependence on the major cloud vendors. There are no restricted areas of cooperation with Huawei Cloud in the multi-cloud landscape or the independently controllable market.
- Unique features
Abundant features are provided, such as cross-cloud failover, dual-mode microservice governance, one-click upgrade of single-cloud applications to multi-cloud applications, cross-cloud application migration, cross-cloud application scheduling, and high-performance multi-cluster resource retrieval.
- Technical guidance
DaoCloud has core code maintenance capabilities and is one of the top contributors to core open-source projects. For instance, in the past year it ranked No. 2 in Karmada, No. 3 in Istio (a member of the Istio Steering Committee in 2022), and No. 3 in Kubernetes. DaoCloud also developed Clusterpedia (an open-source platform for resource search across clusters) and KWOK (a toolkit that sets up a cluster running thousands of nodes in seconds). Many projects have been patented.
- Application modernization standards
DaoCloud has released a white paper on the application modernization method system and participated in the compilation of the Application Modernization Guide and Application Modernization Maturity Standards.
Customer Benefits:
- Consistent user experience
Clusters of mainstream cloud vendors and open-source cloud native clusters can be managed centrally. Fine-grained permission management and multi-cloud O&M monitoring are provided to ensure a consistent user experience.
- Distributed resource collaboration
Collaborative scheduling and cross-cloud auto scaling of resources on more than 500,000 nodes, as well as cross-cloud failover, enable applications to be deployed in different geographical locations.
- Intelligent routing and elastic traffic management
Cross-cloud and cross-cluster east-west communications, dual-mode microservice governance, grayscale releases, visualized traffic management, and various application traffic routing policies help manage applications more easily.